
Cybersecurity Director, Rep. John Katko Discuss Security Threats | C-SPAN | November 30, 2021, 3:42pm-4:49pm EST

3:42 pm
Wednesday the Supreme Court hears a case on the constitutionality of a Mississippi law banning most abortions after 15 weeks of pregnancy. Live coverage of oral arguments at 10:00 a.m. Eastern on C-SPAN3, online at c-span.org, or watch full coverage on C-SPAN Now, our new video app. >> Next, a conversation about cyber security threats and challenges. Speakers include U.S. cyber security director Jen Easterly and House Homeland Security ranking member John Katko, and it is hosted by the Center for Strategic and International Studies and is a little over an
3:43 pm
hour. >> I'll ask a few questions and then turn and open it up to the audience for questions. I am looking forward to today's event. I have been looking forward to it all week. A great way to close out cyber security month here at CSIS. Let me start. Representative John Katko is the Republican leader of the Committee on Homeland Security and he represents the 24th district around Syracuse. A former prosecutor in New York, he worked on numerous cases. I saw he has extensive RICO experience. I think RICO is perfect for cyber security. He comes in well prepared and has served on the Homeland Security Committee and held a number of leadership roles including ranking member of the Cyber Security, Infrastructure Protection and Innovation Subcommittee, and will tell us about some of the legislation he has in the works. Director Jen Easterly, probably known to most of you, director of the Cyber Security and
3:44 pm
Infrastructure Security Agency. Prior to that at Morgan Stanley in New York. This is sort of a New York event. I wasn't planning that as we did it but upstate and downstate covered. Distinguished career at the White House, deputy for counterterrorism, and NSA. Two-time recipient of the Bronze Star. West Point graduate. She asked me to stop there because she doesn't want me to go through the whole list. I am only halfway through, so, again, two great speakers, two leaders in the field. I think critical infrastructure protection has been highlighted by recent events we've all seen. More importantly by the activities not just of Russia but China and Iran. This is a very timely series to have a discussion of and, Representative, let me turn it over to you. >> Well, thank you very much for
3:45 pm
that nice introduction and obviously Jen is an amazing person and I am happy to be here with her. Thanks for having me. I could pick no better way to close out National Cyber Security Awareness Month than by discussing this very issue with you all. I am delighted to be here with my friends. I want to thank Director Easterly for her service not only over the past 100 days in her new role but in the course of her 20-plus years in the military. I have been thoroughly impressed by the close relationship CISA and the National Director have built, and that partnership is the result of leadership at the helm of both by those fine individuals. That level of collaboration and communication is essential in protecting federal -- our nation's critical infrastructure and I hope to see it continue. We don't have the luxury of succumbing to jurisdictional infighting. Those days are over and can't be part of the cyber security lexicon going forward.
3:46 pm
There is just too much at stake. Let me set the scene a little if I can. I have had several priorities I'd like to discuss today but first would like to take a step back and reflect over the past year. We started 2021 by discussing the impact of the devastating SolarWinds cyber espionage campaign but the attacks did not stop there, unfortunately. While they may seem distant, Microsoft's Exchange vulnerability and several significant ransomware attacks including on the Colonial Pipeline and JBS happened this year alone. Just this year, the last few months. As a result an unprecedented number of emergency directives and alerts and advisories have been issued regarding serious vulnerabilities and cyber threats. The past year showed it's not letting up, as evidenced by Microsoft's recent announcement the same Russian actors behind the devastating SolarWinds campaign are trying to recreate their success.
3:47 pm
It underscores the fact that tough talk with Putin is not a sufficient deterrent. Things are not getting better and we must do more. One of my top priorities over the past year is not just to compete against nation state adversaries but win. If we're going to win we need to bolster CISA, making great progress in advancing its mission this year. I'm also planning to build on the success by passing additional authority improvements this year such as supporting the ranking member's bill to make the assistant director a five-year term and working across the aisle and the chamber to get mandatory cyber incident reporting across the finish line. That is critically important. We'll talk more about that today. CISA must also be fully funded and I have been a strong proponent of growth and I am pleased the House committee passed an appropriations bill to
3:48 pm
put it on that path. These are key elements to ensure CISA can effectively carry out its mission as envisioned by Congress. Cyber incidents are rarely sector specific. We need to continue to build on the resources as a central agency that can quickly connect the dots on a malicious cyber campaign's multiple sectors then share the information across the broader infrastructure community, but this can't be successful without this. I am pleased to have partnered on vital legislation to close this vulnerability, allowing CISA to quickly analyze information, and while the importance of the effort cannot be overstated we also must remember that there is no silver
3:49 pm
bullet. We live in a world of an increasing web of hardware, software, services and other connected infrastructure. Single points of failure and systemic importance across this leads to potential for cascading impact if compromised. Most Americans never heard of Colonial Pipeline until they felt the effects in the gas shortages caused by the shutdown. Most had never heard of SolarWinds though the software was used by the federal government and 80% of the Fortune 500 companies. I appreciate CISA has been attempting to take this head on. Congress must help. It is incumbent upon Congress to ensure such a program includes appropriate guard rails, guidance, and built-in mechanisms for industry collaboration. Such an important program must be done and done right. This is why I introduced legislation to direct the --
3:50 pm
leveraging those new authorities and last year's NDAA. This will allow for better defense in government and private networks and sharing information. The need to move from information sharing to information enabling. I couldn't agree more.
3:51 pm
The discussions of Congress have centered around sharing information, which is important, but we also need to ensure the information shared with the private sector is actionable and meets the needs of a diverse set of stakeholders, not a one-size-fits-all approach. I look forward to continuing to maximize the effectiveness of the programs and understand what gaps need to be solved. This cannot be done without a professional cyber security workforce and an efficient operating organization. I am concerned there is not yet a deep cadre of cyber security professionals needed and it lacks the professional resources organization to bring these individuals in and retain them.
3:52 pm
This is something I plan to focus on soon and I am pleased Director Easterly is making this one of her top priorities and I look forward to working with her on this effort. We know the dedicated men and women of CISA have been fighting to protect local government and our critical infrastructure from the scourge of ransomware attacks. Just last week CISA released an alert regarding ransomware targeting U.S. critical infrastructure entities. We must do more to stem the tide. This summer I held a round table with regional representatives of CISA and leaders to discuss how to help bolster entities and mitigate attacks, but CISA can't do it alone. State, local government, small and medium sized businesses, and large corporations must also step up their game. No one is immune from this threat. We need entities to conduct
3:53 pm
basic practices on cyber hygiene including multi-factor authentication, off-site backups, regular updates, and more. I don't want to hear about what you do after an attack but what you are doing before an attack. We need the White House to show our adversaries like Russia and China there are consequences for their actions. As I laid out at the beginning of this Congress in my five pillar strategy, we must impose real costs on cyber attacks by China, Russia, Japan, North Korea. In my opinion the most malign actor is indeed China. The aggression is a persistent, direct threat to our nation's ability to innovate and prosper. From an economic, defense and homeland security perspective, deterring and countering cyber threats from China is paramount for securing the homeland and maintaining economic security. It is extremely important we recognize the differences between ourselves and China and capitalize on the opportunities our system of governance
3:54 pm
possesses. We must protect and encourage international norms that will allow for the trusted and successful proliferation of information and communications technologies. I cannot state clearly enough that China is a preeminent threat actor we face as a nation and they are increasingly leveraging the cyber realm to impact the homeland. China's Ministry of State Security has emerged as a highly capable actor in cyber space, demonstrating increasing sophistication in operational security while undertaking a global campaign of cyber espionage for economic, political, and strategic purposes. They have increased efforts to collect foreign data through both legal and illegal channels and, most alarming, a legitimate concern with the ability to threaten and disrupt critical infrastructure, posing new challenges to U.S. homeland security, prosperity, and resilience. The U.S. needs to continue attributing and punishing to the
3:55 pm
most severe extent possible nation state sponsored cyber intrusion. The homeland security apparatus should be poised to defend against intrusions while protecting systemically important critical infrastructure. There is nothing more important than that. So I guess in closing I want to say I would be remiss if I didn't mention that I'm also particularly excited to be here at CSIS and the collaboration on the Executive Masters in International Relations, a degree program taught here on the CSIS campus. I look forward to future engagements and topics impacting our national security and I look forward to today's conversation as always. Thank you very much and let's have a good talk today. >> Great. Thank you, Congressman. Director Easterly, over to you. Let me just say I hope we can come back to some of the -- you raised many issues but I hope we can come back to legislation and
3:56 pm
also retention, which doesn't come up enough, but Director Easterly, please. >> Well, thank you so much. I am a big '80s music fan. I have to say in the immortal words of Meat Loaf, you took the words right out of my mouth. I completely agree with everything Ranking Member Katko said and I think we are in for a very rich discussion. Let me start by thanking you, Jim, for hosting this and for your leadership over the years, great friends and contributions to these important issues, and Ranking Member Katko who has been such a fabulous advocate and partner for CISA and our mission as the nation's quarterback for cyber defense. As the ranking member mentioned we are at the end of cyber security month. I am personally exhausted but there's a lot going on this
3:57 pm
month. We hosted the summit. Hopefully you've seen it. If not we have posted it on cisa.gov -- that is my -- on cisa.gov. We are going to get that in the consciousness of Americans because, you know, as I always like to say this is not a technology issue but a people issue. We have a lot of work to do but it starts with the basics. For those who may not know about CISA, I'll give a couple lines. We were established at the end of 2018. Our third birthday is on the 16th of November. We were established to fill a gap, to be the nation's cyber and infrastructure defense agency. Our mission is to lead the national effort to understand, manage, and reduce risk to the cyber and physical
3:58 pm
infrastructure Americans rely on every hour of every day. To get gas at the pump, food at the grocery store, money from the bank, power, water, health care. It is the systems and networks that underpin all of our lives. Now, as we know, over 85% of that infrastructure is in private hands so securing it has to be a shared responsibility. This conversation is all about collective defense. In that particular context I think we are at an inflection point. Never has collaboration mattered more given the threat environment we face. You just heard a little bit about it. At CISA collaboration, along with innovation and service and accountability, is a core value. With public/private partnerships
3:59 pm
and information sharing really at the center of our origin story. As we continue to transform and mature the agency, my intent largely, and the representative alluded to this, is really informed by the past four and a half years in the private sector at Morgan Stanley. That is to shift the paradigm from arguably hackneyed terms like public/private partnership to deep, operational collaboration. We can talk more about what that actually means. From information sharing to information enabling. What does that mean? Timely and relevant and most importantly actionable data that can be used by network defenders to increase security and resilience of their networks. Thanks to Ranking Member Katko and the U.S. Congress we have been provided a lot of the authority to make this vision a reality. Authorities with the NDAA,
4:00 pm
$650 million with the American Rescue Plan Act, then of course a whole boatload of responsibilities we got in the cyber executive orders. We are aggressively moving forward to implement all of that and we can talk through a bunch of it, but I want to hit on one thing the Congressman said and that is the joint cyber planning office that we launched, called the Joint Cyber Defense Collaborative, known as the JCDC. I want to call it the advanced cyber collaborative but my lawyers wouldn't let me. We still do a lot of rock 'n roll there. It encompasses the joint cyber planning office but it is a larger recognition it is more than planning. It takes a full suite of capabilities to really make a difference for our nation's cyber security posture. In some ways the JCDC may be more evolutionary than revolutionary because it is the maturing of what I think of as one of our super powers, our very
4:01 pm
expansive information sharing authority to share many to many. That is truly powerful when talking about having to move at the speed of cyber. At least in a few important ways it is novel. It is the only federal entity in law that brings together the full power of the federal government, FBI, Cyber Command, DoD, DoJ, ODNI, along with the imagination and innovation and ingenuity of the private sector to create a common operating picture of the threat environment. When bad things happen we all do heroic things but this is really about proactively planning for and exercising against the most serious threats to the nation and implementing those plans to drive down scale at risk -- to drive down risk at scale. The second thing worth noting is our plan partners are the
4:02 pm
internet service providers, cloud service providers, cyber security companies that underpin the technology of all of our infrastructure. As a consequence they have unparalleled visibility into domestic infrastructure. This is really helping to solve that blind spot problem, the I-can't-see-the-dots problem. You don't want the government in that domestic infrastructure but you have the visibility afforded by these companies in a way so we can not only see the dots but connect them together and then drive down risk at scale. As we know in our globally connected world our infrastructure and American way of life really faces a very wide array of risk with very serious consequences. And today everything is a system of systems. We really can't just think about it as siloed critical infrastructure sectors. You have complex designs with numerous interdependencies,
4:03 pm
systemic risk that can have cascading effects. I'm sure nobody will get this but I'd like to call this the Dirk Gently problem. Everything is connected and interdependent and vulnerable. We've known for years nation state actors, criminals, increasingly leverage cyber space and traditional physical means to subvert our power, American security, and our way of life. It was exacerbated when we had an unprecedented number of Americans working from home during the pandemic and it really expanded exponentially, and I would say what the Congressman said about ransomware, truly a scourge affecting all of our lives every day, really illuminates the point about digital lives and physical infrastructure, everything converging. You see the attacks that can have real impacts on schools,
4:04 pm
police departments, on small businesses around the country, and growing in number and scale. I am particularly concerned about the democratization of these. There are help boards for management, initial access brokers that gain and sell entry into victim networks. It is an ecosystem where all you need is a little bit of money to launch an attack. Just too little friction in the system. That is why this has to be more than a whole of government or whole of nation but a global effort to disrupt these actors wherever feasible. That means cost imposition. It also means what we call at CISA deter through futility, making U.S. networks sufficiently hardened that the economic cost of a given intrusion is higher than the benefit and causing most of the actors to seek another way to
4:05 pm
achieve their goals. We think we can achieve sustained progress in reducing the impact and prevalence of intrusions affecting the networks over time. It ain't going to happen tomorrow or next week and that is why we all need to work together to leverage all of the tools of national power. One of the reasons we want a more informed public is so we launched a one-stop shop, a central location for guidance. Go there and understand what it is but more importantly how to defend yourself. I do want to close by specifically thanking Ranking Member Katko for taking on a leadership role on a variety of cyber security and infrastructure priorities, from enhancing the industrial control system capabilities to authorizing CISA's ability to identify and designate systemically important infrastructure, which we hope ends up in the NDAA, to really ensuring that CISA receives the critical cyber
4:06 pm
incident information via mandatory incident reporting. We can talk more about all of that. But that support, that leadership is incredibly important to the success of our ability to help defend our nation. As I always say, it is, it has to be a team sport. When we work together we can achieve incredible things. So thanks again, Jim, for inviting me to be here with you alongside Ranking Member Katko and I look forward to a very rich conversation. >> I already have questions. That is a tribute to you. Let me start with Representative Katko, the Securing Systemically Important Infrastructure Act and the Capability Enhancement Act.
4:07 pm
You can talk about whatever legislation you want but maybe you could tell us what is on your legislative agenda. >> I think the Systemically Important Infrastructure Act is something I am proud of because it is my thought process on how to deal with this unbelievable scourge of ransomware attacks, and that is to set up a collaborative model whereby it is not just regulatory in nature but much more collaborative in nature and starts with identifying critically important infrastructure. If everything is, then nothing really is. We have to drill down. With the input from the private sector, drill down in a collaborative manner to identify what is truly critical and then dedicate additional resources to those sectors so they can, we can at least be as sure as we possibly can be that those
4:08 pm
sectors are as secure as they can be from cyber intrusion. That is the one I really want to talk about. Because to me, any industrial control systems are important and it gives CISA more power in that realm but really with respect to -- it is not just regulation. It can't be. It has to be about setting the tone. I really think this bill would set the tone for having that model whereby we look at seemingly intractable problems in the cyber realm and don't just say I in Congress have all the ideas. Don't just say I at CISA have all the ideas or I in the private sector have all the ideas. Work together. Sit down. Figure it out. Tell us what you think is important and then let's take the most important of the most important and really drill down to make them as safe as possible.
4:09 pm
Obviously a pipeline, for example, is another thing. So we don't have these types of things going forward. One thing that really bothered me about the Colonial Pipeline attack is when the CEO came before me and told me all the things they did to harden his system -- we don't want to have those discussions. We want discussions where we talk about hardening the systems assuming you will be the next person or entity to be attacked. And use CISA's tremendous growing resources and talent to do that. That is basically how I see it. >> I agree. I think this is hugely important and notwithstanding whether legislation or not, I certainly hope it does, we are already thinking through the model. So we're prototyping a variety of different approaches in our National Risk Management Center to try and start identifying
4:10 pm
those entities that are in fact systemically important. We're doing it based on economic policy, network centrality and dominance in the national critical -- and because again we look at sectors but all sectors are connected so we have to look at these from a national critical function perspective. We are calling this effort, because -- we are calling it primary systemically important entities, so essential, in case -- I think it is important because we might talk a little about supply chains, but in cases where these entities are part of the supply chain for both hardware and software that can increase risk, that collaboration you talked about will focus us on how these entities can work together to create security and resilience of vulnerable technology throughout the supply chain. We are looking at this through a
4:11 pm
variety of lenses and will move forward and do it whether it ends up in legislation or not, but I think signaling that ending up in law will be very helpful in continuing to bring the private sector to the table. We are in a state where critical infrastructure is much more vulnerable than it should be. That is what I worry about most every day. >> We did get one question in reaction to Representative Katko's remarks and I hope it is an easy one. Is there a plan to attach either of these bills to the NDAA? Maybe you can talk about the vision for moving forward. >> Yes, of course. NDAA has become a very potent vehicle to get legislation passed that sometimes may struggle to get going on its own. We have an excellent working relationship with that -- the
4:12 pm
area and the House Armed Services Committee. We have several bills put in this year and we're hopeful if and when it goes to conference I'll be on that conference committee to make sure those bills stay in there. It absolutely has become a very potent ground for doing that. We need the markups and the other things but it is a very potent source and great vehicle for sure. >> Four more questions while you two were talking. We aren't going to make it but we'll try. >> I'm having a hard time keeping up with all the acronyms. You just threw another one at me. PSIEs. I'll never catch up with you guys. >> Better than SICI, man. >> SICI was not a good choice. >> You mentioned the executive order and how many tasks CISA
4:13 pm
has as a result of it. Tell us how you are making progress on implementing that. You have a year deadline or less? >> The most aggressive I think in the history of EOs, but it is good because it signaled a real sense of urgency. It was probably the most technical EO. I served in the White House four and a half years in two separate administrations so I have seen a lot and written a lot, but it was good. It met the moment. The post-SolarWinds moment, post-Microsoft Exchange moment. Incredibly important things in that, so really all about modernization of our architecture, which is important because we are dealing with tech debt. We have to modernize and create visibility and substantiate technology that allows us to have endpoint detection and response and then to build a system where we can run analytics across the federal civilian executive branch to allow us to
4:14 pm
understand malicious activity. Right now we are dealing with 102 separate departments and agencies. We have to be able to manage the federal networks as an enterprise. This ain't easy. It is a pathway all about the right architecture, zero trust, moving to cloud, modernization, visibility. There are other interesting things in there about getting the playbook right, building a cyber safety review board, which I am psyched about, and then improving information sharing with federal contractors which is going to really use the government's market power to drive change in the rest of the industry. We have about 35, Jim, a lot. Almost three dozen tasks we either led or were part of, and team CISA has met all of our deadlines. You know, hugely important. I actually think this can make a real difference. So I am excited about it.
4:15 pm
>> I won't keep you updated on how many questions keep coming. We are further behind. One of them was from a journalist and let me direct it to Representative Katko. He asked is cyber security still a bipartisan issue on the Hill? In the chat I said I think so but you would know better than I. Can you give us -- >> Yeah. No doubt. One of the things that's drawn me to homeland security other than my background as a 20-year federal organized crime prosecutor in El Paso and Puerto Rico, Albania, all over the world really, upstate New York, that kind of -- my experience in that realm was task forces and putting different people from different areas, different law enforcement entities under one roof really for something that made me realize how important the collaboration of bipartisanship is.
4:16 pm
That is what drew me to homeland security as well. Yeah, I do think it is still a very, very bipartisan effort because we all want to keep the country safe. When we first start identifying things like PSIEs and things like that, you naturally think in a bipartisan manner. What comes next is where there may be some divergence. What is the tension between encouraging and fostering collaboration and over regulating? That is the rub we may have going forward to some extent but I think we can work it out. I think one way to do that is, going back to NDAA for a second, bite-sized chunks of legislation that can be put into the bill and then have real meaningful -- start with my bill. To start with, it is the foundational approach to
4:17 pm
what we need to start doing in the infrastructure realm. Then build upon it slowly. If you try to do everything at once and don't take the incremental approach there will be more divergence. Generally speaking we are on the same page and have to do more to help. We all agree CISA is what needs to be a $5 billion agency in the next five years. That is not a figure pulled out of the air. Looking at long term needs we know it needs to be propped up. Initially there wasn't a peep on either side. There are a lot of areas we'll agree and will going forward. I am not trying to blow smoke at my friend there who likes '80s rock like I did, but having good leaders in CISA and all of the,
4:18 pm
we have good leaders who are collaborative minded and that is very important, too. When we see them doing that we are more apt to ourselves and that is important. >> It is not fair when you answer my next question before I can even ask it. I'll try and salvage it because I think it is a good one. People want to know your views on resources and you've given them. They also want to know what you are thinking on oversight. Maybe we can have you, this is your big chance to say what more you would like to see. >> I'm not worried about oversight because Jen and I talk all the time. We don't have to wait for hearings. If we have an issue or concern we talk to each other. That is really important. It is about that relationship going forward. I am very confident going forward oversight won't be an issue. It is because of their openness and the culture that is being developed even before Jen got
4:19 pm
there but certainly since she has been there is a good collaborative effort going on and that is why we understood taking a look. I am teeing that up with Jen to have some fun. Tell us what you need. I got the checkbook out. >> As you mentioned we are getting a move up in the budget. We got the 650 million. I do think that we are going to need a larger budget as you said, Ranking Member Katko. As we are a very young agency and transforming, we are making sure we are putting all the processes in place to absorb the funding and we can spend it responsibly and effectively. And so I'm excited about being able to bring in new resources. I am particularly excited to bring in new people because I think at the end of the day this is all about talent and really
4:20 pm
not about technology. It is all about being able to bring on the right talent. We are, and this was a thing we were directed to do, I couldn't agree more, the initiatives in last year's, how you are looking at this year's, it really does help us with those sort of incremental chunks of things helping us strengthen the agency. We are in the midst of doing a force structure assessment, sort of a task as I would call it in the Army, that is looking across all of our organization to see are we right-sized? I would point to one thing in particular on a little preview. We have an amazing field force that has grown up over the years. Those are our cyber security advisers. They were at the event you mentioned. We have protective security advisers, chemical security inspectors, emergency folks. I am looking to probably grow
4:21 pm
our cyber security folks, because I think we need a greater presence in the field. That is where the companies are, where the state and local folks are, where the small businesses are. So really increasing that is one thing we're going to come back on. And the other thing is we are likely going to look to increase our vulnerability management capabilities, our threat hunting capabilities and incident response capabilities, and we'll probably be building off the Joint Cyber Defense Collaborative, JCDC. I do see more resources. In terms of authorities, as you mentioned at the outset, in terms of human capital we are working really hard to ensure we are streamlining our ability to bring in talent. That is a tough thing and a government-wide tough thing. Government just does a bad job
4:22 pm
at this. one thing i am very excited about that congress gave us seven years ago is the cyber talent management system. we are about to put that into play on november 15th. that will allow us to hire people and talent much more flexibly based on aptitude and attitude. it is more important, just as important that culture bit that the congressman talked about and we can pay them closer to market. probably can't pay what i could pay people at morgan stanley but closer so we can be more competitive with the private sector, with other places. we are looking for people who want to come in whether for a career or a couple years to help defend their nation. that is a calling, an ethos. yeah we want talent but the right type of talent. so the congressman knows if i feel i need something for the nation i will call him up or
4:23 pm
text him and we'll have the conversation. it is fabulous to have that kind of support. to your point i feel it is very bipartisan. which to me as a long time independent and somebody who served in both administrations i am incredibly encouraged by. i think you're on mute, jim. >> you get the prize, jim. >> thank you. when i was working with representative mccaul on the bill that eventually created cisa i wanted it to become the cyber security agency. and leave out the "i" because it has a physical. one of the questions we got is where do physical threats figure into your thinking for both of you for your thinking on cisa and legislation? maybe you can touch on that one. >> jen, you should take that
4:24 pm
first. >> thanks. great. jim, i love you, man, but it is pronounced cisa. >> got it. >> i'll send it back to you, one of my rubik's cubes. it is a great question. we are the cyber security division as well as the infrastructure security division and that was where we grew up from, from the threats of 9/11 and terrorism. let me make two points. first we live in a world where everything is converging. everything is underpinned by technology. it is hard to decompose how we're thinking about critical infrastructure. it is also if you look at cyber threats that can have physical implications. i actually think that it was a really good decision to put the cyber piece together with the infrastructure piece. the threats are not just about cyber. when i got to morgan stanley they asked me to build their cyber defense center, the center of gravity for dealing with
4:25 pm
cyber threats and two years later after we built this big beautiful center, they said, jen, great. we love it. now we want you to build a center that deals with all sorts of threats. from cyber to technology to fraud to terrorism to civil unrest to weather events to pandemics. because it is a hybrid world we live in where a health pandemic turns into a cyber pandemic. again, very hard to disag -- disaggregate these things. i think it is actually smart to put these things together. >> i couldn't agree more. i knew she was going to answer beautifully. it is really hand in glove with my theory of cisa and that is that they are quarterbacks of this area. the critical infrastructure pipelines are part of that and
4:26 pm
why would you separate that off into something else. it screams for a quarterback and the quarterback screams for cisa. that is how i see it and i agree with everything else jen said. >> we've gotten a series of questions revolving around the private sector. i was pleased. i think it was jen that said she was tired of the term public/private partnership which is now entering its 25th year. pretty darned good for a policy that hasn't quite gotten off the ground and collaboration might be a better word. maybe both of you can tell us. we have a question about incentives, tax incentives in particular. i can break that into parts but why don't we start by talking about when you say collaboration with the private sector what do you both have in mind? >> i look at it this way. when i was a prosecutor, when
4:27 pm
9/11 happened, it happened because federal, state and local law enforcement were not on the same page. there were turf battles, lack of trust, a lack of collaboration. i was doing death penalty cases in puerto rico. one agency, federal agency, didn't want to work with the other because it didn't require a four-year college degree to be an agent. that is the type of ridiculousness we had to deal with. so after 9/11 we kind of molded into a terrorism realm. we were already trying in the drug enforcement realm. the federal, state, and local all under the same roof with analysts from the national guard for example, whatever we could do, and say we are going after "x." we are going to focus on "x." i couldn't give a -- if you were a fbi or dea or anything. let's get the job done. that same type of attitude has to come to this.
4:28 pm
right? i really think with cisa you have to have the private sector built up with a certain degree of trust and it is almost like muscle memory where okay. we got hacked. let's get this information to cisa in a way that is not too burdensome. cisa has to look and okay. got this information. what kind of directive do we see trends coming, get out quickly. and it is the same type of idea of breaking down barriers to collaboration. one concern i have is if you regulate that, you are going to end up having a lack of trust and too much bureaucracy and -- where you have too much -- you need some regulation obviously. it can't be the wild west but
4:29 pm
you have to work with the private sector to -- just like i worked with state and local -- i was a fed all the way through but worked with them to get them to trust us and share with us the data. i can tell you the locals they always had the best snitches, the guys at the street level. somebody from the fbi wants to talk to you? like screw you. but the locals know how to do that right? they became a hugely valuable portion of the task forces. i look here at the private sector, it has a lot to offer and it is not like we're the government so we'll tell you what you need to do for cyber and that's it. no. because as bright as jen is she doesn't have all the answers and as bright as some people are in the private sector they don't have the answers.
4:30 pm
you put the team together and have a good interplay collaboration. that is when you make a real difference and how i view the whole thing. that is how i see it. >> i couldn't say it much better than that. i am a big puzzler. a lot of pieces of the puzzle coming together. the government had some pieces, the private sector has others. i have a great appreciation for the power of the private sector just having spent four and a half years as a senior technologist in a big bank. there is incredible capability and technologists but pieces that they're seeing that can help enrich what we see in the government and vice versa. difference between partnership in my mind is partnership is you bring people in every week, maybe every month or quarter and you sit down and have a meeting and drink coffee and donuts and talk about what you want to accomplish. operational collaboration is on a very regular basis, you know, day-to-day you are operating in
4:31 pm
the same space, sharing information in near real time with the sense of urgency mandated by the threats we can see from cyber and that is what we are building. another thing, it is early days and we are in the midst of building it but i constantly hear and probably said when i was in the private sector, we send stuff to the government and we see nothing back. and so we want to change that as well. right? we want to -- we're not seeing anything with it or yeah we are and that can happen in the channels we are developing to achieve exactly what ranking member katko said which is the most important word whether it is a business relationship or marriage and that is trust. incredibly hard to build, incredibly easy to lose. so every day we are working to build that trust and it goes to the last point. i agree, regulation in some
4:32 pm
cases is useful. as a bank we were incredibly regulated. cisa doesn't want to be a regulator. the magic of cisa is we are a trusted partner, the people you call when you need help, when you need assistance, when you need cost free services and we're the ones who share the information in an anonymous way that protects privacy of victims to prevent other people from getting hacked. having us as a regulator would really impact our ability to establish those trusted partnerships. >> i'll just reiterate that. it is one of the things that comes up repeatedly in interviews is that when you ask companies what agency they want to talk to, cisa is always at the top of the list. let's talk a little bit about reporting and awareness. there are efforts yet again to get people to report cyber incidents.
4:33 pm
what do you think we'll see come out of that effort? that is really a question for the two of you. >> go ahead. >> we strongly support this. because it goes back to my theory of the case which is everything is connected, everything is interdependent, everything is vulnerable. we all ride on very similar technology backbones. so if you are seeing an attack in an incident that can be traced back to other places in our critical infrastructure. it can have a real impact on the nation. and so very important for us to get to allow us to share that in an anonymous, useful, relevant, timely, actionable way to enable other network defenders to protect themselves from that threat. as i said, many times, we are not here to name, shame, blame, stab the wounded. we are here to help. we are here to share that
4:34 pm
information, to prevent others from being hacked. we think it is incredibly important legislation. we think we need the information as timely as possible. also i know when you are managing an event in the private sector under duress it takes a while to figure out is there really something there? some you know right away this is a bad day. some you're really not sure. what i want to make sure is we are not over burdening the private sector with having to send this information that is erroneous nor do we want to receive erroneous information. this is about signal not noise. we have to get that right and that is why we are -- we want to make sure this is not burdening them or us but actually raising the baseline of the entire cyber ecosystem. this is good for everybody. i wish people would not think about it as a regulatory
4:35 pm
reporting thing but about providing information you need to keep the entire ecosystem safe. >> this is setting up the foundation on which the flow of information can happen. i don't see it as regulatory but as nudging collaboration. if you have incident reporting but cisa doesn't get better at operationalizing that incident reporting and coming back with directives and assistance to the private sector then it is not going to work. this is the beginning. like i said before, you take these incremental steps and you build upon them as you go. and instead of the big, massive bills that everybody thinks will solve the world's problems and often don't, take the incremental steps and look. you got to share this information but we understand it
4:36 pm
can't be a burden. it can't be an undue burden. we understand it can't cripple your ability to respond to an incident at the same time. you have to meet these reporting requirements. on the other hand, cisa gets about 1% if that of the attacks out there in the world and the more information they have on those attacks the better they can send out directly to help everybody. it is a force multiplier. it really is to me a foundation of how much the collaboration can happen. again, sorry to keep going back to the task force but that is what works. people come into the task force, they have memorandums of understanding and one of the key components is information sharing. you have to exchange information. everybody liked it except the fbi. we got past that. the agencies federal, state, local after a while it became muscle memory that the exchange of information happens and we
4:37 pm
haven't had that cataclysmic event since 9/11 because of it. that is how i view it in the same manner. >> we got an easy one that i'll throw in because i want to come back to reporting and awareness. the easy one is where did you get the shark? >> it was a birthday present from my husband many years ago. in my first duty assignment with the army i lived up on pipeline beach, big scuba diver, terrible surfer, but love the water. shark comes with me everywhere. >> that is awesome. >> so we've tried this reporting before and it hasn't worked. one of the reasons it hasn't worked is we got the threshold wrong. you might remember that there is a material incident threshold that exists now and it turns out there's never been a cyber incident that crossed the material threshold incident level set by the sec. you've touched on a lot of it.
4:38 pm
it is going to be post facto. that is a question. how do you build the trust to get over people's reluctance to share. what are the assurances we need to get people to trust to share information in realtime and not two weeks later? >> go ahead, jen. you're first. >> we are, what i say is we recognize all of those issues. they've been around for a long time, one of the reasons they set up legislation in 2015 to provide liability protection for sharing information. and so we are in the midst of building something which i think is a paradigm shift. we bring people together, the right people to share information. it is already happening. i think the congressman mentioned the triple field thing we worked with the fbi about a type of ransomware. that was enriched by our partners from broadcom and code
4:39 pm
ware and we are seeing already value in sharing with the private sector. that is the products we're working on now to provide to the wider ecosystem. on the incident response don't get me wrong. we get reporting. we certainly have a lot of work going on in the field but as the congressman said i think it is probably a very small percentage of what is out there. and we are going to have to work our way through this. it is why the rule making period, the consultative rule making period, i think you said the right thing. what is the threshold so we are not over burdened with noise and the company is not over burdened with providing us erroneous information. like everything else i said over the past year, we're at a moment. we are at an inflection point. we have the right leadership in congress, the right leadership across the federal government, a sense of urgency, people making us a priority across the
4:40 pm
country, and so we've got to get after it and take advantage of it and bad on me if i screw it up. >> there is not much to add. she is exactly right. it is trust. it is threading the needle between getting them to report to make sure they won't have liability but at the same time making sure it makes it worth their while to do so. what she articulated is exactly what we need to do. >> we have a lot of questions. i'll pick one topic and give you each time for a final remark. the topic is the imposition of consequences on actors who are doing things that are inappropriate in cyber space. if they are a criminal we know what to do if we get our hands on them but if they are a state we've been stymied. i've been in talks with a number of nato countries that -- what is your thinking on consequences? where do you want to go with this? we hear a lot, of course, if we
4:41 pm
do something that will make the russians mad, that is actually a powerful argument in some circles. i don't really care but maybe you do. tell me what you want to do on consequences. >> well, i think the consequences for me, quite frankly jen and i have had discussions even this week about it. i think we need to do more than we're doing at a minimum. we can't have china acting with impunity attacking our systems and malign actors in russia acting under the perimeter of putin to be going unchecked. they largely have. i think we need to not do something to start world war 3 but we do need something that is going to make them feel the pain. sanctions are a big thing. i think a huge thing. personally, not articulating what jen was saying, you look at someone like china, involved in a number of major attacks on our
4:42 pm
homeland. i don't see a lot of response to it yet and i don't see sanctions that have really come out and been meaty. you roll that into the fact that china not only is doing that but they're, you know, involved in genocide of their own people and yet we're going to trot into china in six months and allow them to look like a world leader at the olympics and like everything is okay? that shouldn't be. we should rethink those types of things. we do need to find a balance and without going overboard, definitely coming back with a firm hand. as a prosecutor, bad guys only understand strength. they understand nothing else. they are not intimidated by words. they are only intimidated by action. i brought someone in, a really bad guy, if they sense for a second that we didn't have a strong case or have them dead to rights he would get everybody
4:43 pm
including himself to go to trial and blah, blah, blah. but if he knew he was toast and he knew his options were mandatory life or if he cooperates might get 20 years chances are if i do my job that guy is cooperating and we're going after many more criminals. we have to project more strength than now. it is one of the five pillars of my full cyber plan and jen is far more expert in this area than i am and definitely has enlightened me. at first i'm like just fry everything in their country. you have to think about that now. we want to ratchet it up. there are ways to do it and i think sanctions are a very effective way. >> i think we are over time but i would say we all know we have the glass house issue. i think of it in terms of peace, deterrence, dissuasion and you
4:44 pm
think about deterrence by punishment and there are options, and we are in the deterrence by denial phase or capability but i agree it has to be all instruments of national power and we have to be able to stand behind when we say we'll impose costs, hold actors accountable, we have to be able to, we have to have tools that can effectively do that. my world is all about deterrence by denial but this has to be a whole of instruments of national power effort. >> i want to add one thing to that. that is why i think the position is so important. we have the quarterback at cisa kind of like the head coach, has to see everything. sort of advise the president. that is one reason i was such a strong supporter of a national cyber director. part of that should be his role. and working of course with the
4:45 pm
other sectors of government. we need the first look at the playing field and say okay. how bad was this? what is a good response? what is a proportional response? what is an effective response? he should have a very strong say not just people in the military but inglis should have that authority and that stature. >> he is a great teammate. >> yes, he is. >> a pleasure to work with. >> one of the strengths we have now and i say it in a bipartisan way is we have a strong team. the strongest team we've ever had in cyber security. all the people whose questions we did not have time to get to. i will do one for both of our speakers. someone asked north korea charged the u.s. as the biggest hacking empire in the world. is that true? no. okay. with that we can move on. if either of you have any final remarks, now would be a good
4:46 pm
time. >> go ahead, jen. >> i want to say thanks so much. cyber is a team sport and i have been incredibly encouraged by what i've seen across the federal government with our private sector partners and then on the hill with the incredible leadership and partnership of ranking member katko. thanks very much for the opportunity and great to spend time with both of you. >> i echo your sentiments and to show i am bipartisan, that is not something that is very common nowadays in washington. i have a lot of disagreements with this president but i firmly applaud him for the appointments he has made in the cyber realm with jen and inglis and neuberger. we have a corps of seriously good talent and it's being reflected and we in homeland security are feeding off of that. i agree with you we have a very good team and our job is to make sure they have everything they need. i want to be sure we do that going forward and i couldn't
4:47 pm
give a damn if they are republicans or democrats. i just want to get the job done. >> let's not forget matt olsen in the national security division. great team. great event. you guys were incredibly articulate. which was a relief. i didn't have to do very much. thank you for doing this. have a good weekend. >> have a good week everybody. god bless. bye-bye. >> bye. c-span offers a variety of podcasts with something for every listener. week days, "washington today" gives you the latest from the nation's capital. every week "book notes plus" has in depth interviews with writers about their latest works. while "the weekly" uses audio from our immense archive to look at how issues of the day developed over years. and our occasional series "talking with" features extensive conversations with historians about their lives and work. many of our television programs are also available as podcasts. find them all on the c-span now mobile app or wherever you get your podcasts.
4:48 pm
facebook whistle-blower frances haugen testified before a united kingdom parliament joint committee about extremism on the social media platform and the harmful effects the app snapchat owned by facebook can have on children. the uk is considering legislation to impose government regulations on facebook and other social media companies. this is two and a half hours. >> good afternoon and welcome to this session of the joint committee on the draft online safety bill. today we are pleased to welcome frances haugen to give evidence to the committee. we are delighted you've been able to make the trip to london and give us evidence in person. and, also, respect the personal decision you have taken to speak out on these matters with all the risks incumbent speaking out against a multi billion dollar corporation. i'd just like to ask you first about